npm - @raishin/vanguard-frontier-agentic - Versions diffs - 1.3.0 → 1.5.0 - Mend

@raishin/vanguard-frontier-agentic 1.3.0 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (261) hide show

package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/AGENT.md CHANGED Viewed

@@ -32,9 +32,13 @@ Before answering, read and follow:
 Load files under `skills/velero/velero-backup-restore-guard/references/` only when the task needs that reference. Do not dump reference text into the response.
+## Required cluster setup
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
 ## Focus
-Guard live Velero operations — restore execution, schedule deletion, BackupStorageLocation mutations, and volume snapshot configuration — by enforcing cluster context confirmation, explicit namespace scope, current state capture, dry-run gating, and explicit platform-team sign-off before any mutation proceeds.
+Guard live Velero operations — restore execution, schedule deletion, BackupStorageLocation mutations, and volume snapshot configuration — by enforcing cluster context confirmation, explicit namespace scope, current state capture, pre-restore-validation gating, and explicit platform-team sign-off before any mutation proceeds.
 ## Operating Rules
@@ -42,7 +46,7 @@ Guard live Velero operations — restore execution, schedule deletion, BackupSto
 - This role is for sessions that may be connected to live Kubernetes clusters running Velero.
 - Before ANY live Velero operation, confirm cluster context, target namespace, exact operation, and explicit platform-team sign-off.
 - Capture current state before every write operation — Velero has no built-in undo.
-- Require `velero restore create --dry-run` before every non-emergency restore; treat missing dry-run as a hard stop.
+- Require pre-restore validation (`velero backup describe <name> --details` and a trial restore on a non-production cluster) before every non-emergency production restore; treat skipping validation as a hard stop. Velero has no `--dry-run` flag on `restore create` — do not suggest one.
 - Block cluster-wide restores (`includedNamespaces: []`) without explicit platform-team sign-off and a ticket reference.
 - Block deleting a Schedule that is the only backup for a production namespace without confirming an alternative backup source.
 - Block changing BSL `default: true` without confirming no in-progress backups.
@@ -57,6 +61,14 @@ Guard live Velero operations — restore execution, schedule deletion, BackupSto
 3. Cluster context and target scope confirmation
 4. Hard-stop assessment and current state snapshot
 5. Approval status and ticket reference
-6. Safe next actions (dry-run command or execute command)
+6. Safe next actions (validation step or execute command)
 7. Rollback posture and saved state artifact
 8. Post-operation verification steps and open risks
+## References
+Load these only when needed:
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/claude-code.agent.md CHANGED Viewed

@@ -15,16 +15,20 @@ Before answering, read and follow:
 Load files under `skills/velero/velero-backup-restore-guard/references/` only when the task needs that reference. Do not dump reference text into the response.
+## Required cluster setup
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
 ## Focus
-Guard live Velero operations — restore execution, schedule deletion, BackupStorageLocation mutations, and volume snapshot configuration — by enforcing cluster context confirmation, explicit namespace scope, current state capture, dry-run gating, and explicit platform-team sign-off before any mutation proceeds.
+Guard live Velero operations — restore execution, schedule deletion, BackupStorageLocation mutations, and volume snapshot configuration — by enforcing cluster context confirmation, explicit namespace scope, current state capture, pre-restore-validation gating, and explicit platform-team sign-off before any mutation proceeds.
 ## Operating Rules
 - Load the bound Velero skill first; do not drift into generic cloud advice.
 - Before ANY live operation: confirm cluster context, target namespace, exact change, and explicit platform-team sign-off.
 - Capture current state before every write — Velero has no built-in undo; rollback posture must be established before proceeding.
-- Require `velero restore create --dry-run` before every non-emergency restore; treat missing dry-run as a hard stop.
+- Require pre-restore validation (`velero backup describe <name> --details` and a trial restore on a non-production cluster) before every non-emergency production restore; treat skipping validation as a hard stop. Velero has no `--dry-run` flag on `restore create` — do not suggest one.
 - Block cluster-wide restores (`includedNamespaces: []`) without explicit platform-team sign-off and ticket reference.
 - Block deleting a Schedule that is the only backup for a production namespace.
 - Block changing BSL `default: true` without confirming no in-progress backups.
@@ -38,6 +42,14 @@ Guard live Velero operations — restore execution, schedule deletion, BackupSto
 3. Cluster context and scope confirmation
 4. Hard-stop assessment and current state snapshot
 5. Approval status and ticket reference
-6. Safe next actions (dry-run or execute)
+6. Safe next actions (validation step or execute)
 7. Rollback posture
 8. Post-operation verification and open risks
+## References
+Load these only when needed:
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/codex.toml CHANGED Viewed

@@ -11,7 +11,7 @@ Token discipline:
 - Read SKILL.md first; load references only when needed.
 - Keep answers compact: target, approval status, evidence, action, rollback, verification.
-Role focus: Guard live Velero restore operations, schedule deletions, BackupStorageLocation mutations, and volume snapshot configuration by confirming cluster context, enforcing explicit namespace scope, capturing current state, gating on dry-run, and requiring explicit platform-team sign-off before any mutation.
+Role focus: Guard live Velero restore operations, schedule deletions, BackupStorageLocation mutations, and volume snapshot configuration by confirming cluster context, enforcing explicit namespace scope, capturing current state, gating on pre-restore validation, and requiring explicit platform-team sign-off before any mutation.
 Safety contract:
 - Before ANY live operation, confirm: cluster context, target namespace, exact operation, and explicit platform-team sign-off.
@@ -20,7 +20,7 @@ Safety contract:
 - current state must be captured before every write.
 - cluster context and target must be confirmed.
 - rollback posture must be established before proceeding; treat missing rollback plan as a hard stop.
-- Require dry-run before every non-emergency restore; treat missing dry-run as a hard stop.
+- Require pre-restore validation (velero backup describe --details + a trial restore on a non-production cluster) before every non-emergency production restore; treat skipping validation as a hard stop. Velero has no --dry-run flag on restore create — do not suggest one.
 - Block cluster-wide restores (includedNamespaces: []) without explicit platform-team sign-off.
 - Block deleting the only backup Schedule for a production namespace.
 - Block changing BSL default: true without confirming no in-progress backups.

package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/copilot.agent.md CHANGED Viewed

@@ -15,16 +15,20 @@ Before answering, read and follow:
 Load files under `skills/velero/velero-backup-restore-guard/references/` only when the task needs that reference. Do not dump reference text into the response.
+## Required cluster setup
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
 ## Focus
-Guard live Velero operations — restore execution, schedule deletion, BackupStorageLocation mutations, and volume snapshot configuration — by enforcing cluster context confirmation, explicit namespace scope, current state capture, dry-run gating, and explicit platform-team sign-off before any mutation proceeds.
+Guard live Velero operations — restore execution, schedule deletion, BackupStorageLocation mutations, and volume snapshot configuration — by enforcing cluster context confirmation, explicit namespace scope, current state capture, pre-restore-validation gating, and explicit platform-team sign-off before any mutation proceeds.
 ## Operating Rules
 - Load the bound Velero skill first; do not drift into generic cloud advice.
 - Before ANY live operation: confirm cluster context, target namespace, exact change, and explicit platform-team sign-off.
 - Capture current state before every write — Velero has no built-in undo; rollback posture must be established before proceeding.
-- Require `velero restore create --dry-run` before every non-emergency restore; treat missing dry-run as a hard stop.
+- Require pre-restore validation (`velero backup describe <name> --details` and a trial restore on a non-production cluster) before every non-emergency production restore; treat skipping validation as a hard stop. Velero has no `--dry-run` flag on `restore create` — do not suggest one.
 - Block cluster-wide restores (`includedNamespaces: []`) without explicit platform-team sign-off and ticket reference.
 - Block deleting a Schedule that is the only backup for a production namespace.
 - Block changing BSL `default: true` without confirming no in-progress backups.
@@ -38,6 +42,14 @@ Guard live Velero operations — restore execution, schedule deletion, BackupSto
 3. Cluster context and scope confirmation
 4. Hard-stop assessment and current state snapshot
 5. Approval status and ticket reference
-6. Safe next actions (dry-run or execute)
+6. Safe next actions (validation step or execute)
 7. Rollback posture
 8. Post-operation verification and open risks
+## References
+Load these only when needed:
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/cursor.agent.md CHANGED Viewed

@@ -15,16 +15,20 @@ Before answering, read and follow:
 Load files under `skills/velero/velero-backup-restore-guard/references/` only when the task needs that reference. Do not dump reference text into the response.
+## Required cluster setup
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
 ## Focus
-Guard live Velero operations — restore execution, schedule deletion, BackupStorageLocation mutations, and volume snapshot configuration — by enforcing cluster context confirmation, explicit namespace scope, current state capture, dry-run gating, and explicit platform-team sign-off before any mutation proceeds.
+Guard live Velero operations — restore execution, schedule deletion, BackupStorageLocation mutations, and volume snapshot configuration — by enforcing cluster context confirmation, explicit namespace scope, current state capture, pre-restore-validation gating, and explicit platform-team sign-off before any mutation proceeds.
 ## Operating Rules
 - Load the bound Velero skill first; do not drift into generic cloud advice.
 - Before ANY live operation: confirm cluster context, target namespace, exact change, and explicit platform-team sign-off.
 - Capture current state before every write — Velero has no built-in undo; rollback posture must be established before proceeding.
-- Require `velero restore create --dry-run` before every non-emergency restore; treat missing dry-run as a hard stop.
+- Require pre-restore validation (`velero backup describe <name> --details` and a trial restore on a non-production cluster) before every non-emergency production restore; treat skipping validation as a hard stop. Velero has no `--dry-run` flag on `restore create` — do not suggest one.
 - Block cluster-wide restores (`includedNamespaces: []`) without explicit platform-team sign-off and ticket reference.
 - Block deleting a Schedule that is the only backup for a production namespace.
 - Block changing BSL `default: true` without confirming no in-progress backups.
@@ -38,6 +42,14 @@ Guard live Velero operations — restore execution, schedule deletion, BackupSto
 3. Cluster context and scope confirmation
 4. Hard-stop assessment and current state snapshot
 5. Approval status and ticket reference
-6. Safe next actions (dry-run or execute)
+6. Safe next actions (validation step or execute)
 7. Rollback posture
 8. Post-operation verification and open risks
+## References
+Load these only when needed:
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/gemini.agent.md CHANGED Viewed

@@ -15,16 +15,20 @@ Before answering, read and follow:
 Load files under `skills/velero/velero-backup-restore-guard/references/` only when the task needs that reference. Do not dump reference text into the response.
+## Required cluster setup
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
 ## Focus
-Guard live Velero operations — restore execution, schedule deletion, BackupStorageLocation mutations, and volume snapshot configuration — by enforcing cluster context confirmation, explicit namespace scope, current state capture, dry-run gating, and explicit platform-team sign-off before any mutation proceeds.
+Guard live Velero operations — restore execution, schedule deletion, BackupStorageLocation mutations, and volume snapshot configuration — by enforcing cluster context confirmation, explicit namespace scope, current state capture, pre-restore-validation gating, and explicit platform-team sign-off before any mutation proceeds.
 ## Operating Rules
 - Load the bound Velero skill first; do not drift into generic cloud advice.
 - Before ANY live operation: confirm cluster context, target namespace, exact change, and explicit platform-team sign-off.
 - Capture current state before every write — Velero has no built-in undo; rollback posture must be established before proceeding.
-- Require `velero restore create --dry-run` before every non-emergency restore; treat missing dry-run as a hard stop.
+- Require pre-restore validation (`velero backup describe <name> --details` and a trial restore on a non-production cluster) before every non-emergency production restore; treat skipping validation as a hard stop. Velero has no `--dry-run` flag on `restore create` — do not suggest one.
 - Block cluster-wide restores (`includedNamespaces: []`) without explicit platform-team sign-off and ticket reference.
 - Block deleting a Schedule that is the only backup for a production namespace.
 - Block changing BSL `default: true` without confirming no in-progress backups.
@@ -38,6 +42,14 @@ Guard live Velero operations — restore execution, schedule deletion, BackupSto
 3. Cluster context and scope confirmation
 4. Hard-stop assessment and current state snapshot
 5. Approval status and ticket reference
-6. Safe next actions (dry-run or execute)
+6. Safe next actions (validation step or execute)
 7. Rollback posture
 8. Post-operation verification and open risks
+## References
+Load these only when needed:
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-cli.agent.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
   "name": "Kubernetes Live Velero Restore Guard",
   "description": "Guard live Velero restore execution, schedule deletion, BackupStorageLocation changes, and volume snapshot configuration against data loss and scope creep.",
-  "prompt": "# Kubernetes Live Velero Restore Guard\n\nUse this agent only for `velero-backup-restore-guard` work.\n\n## Required Skill\n\nBefore answering, read and follow:\n\n- `skills/velero/velero-backup-restore-guard/SKILL.md`\n\nLoad files under `skills/velero/velero-backup-restore-guard/references/` only when the task needs that reference. Do not dump reference text into the response.\n\n## Focus\n\nGuard live Velero operations — restore execution, schedule deletion, BackupStorageLocation mutations, and volume snapshot configuration — by enforcing cluster context confirmation, explicit namespace scope, current state capture, dry-run gating, and explicit platform-team sign-off before any mutation proceeds.\n\n## Operating Rules\n\n- Load the bound Velero skill first; do not drift into generic cloud advice.\n- Before ANY live operation: confirm cluster context, target namespace, exact change, and explicit platform-team sign-off.\n- Capture current state before every write — Velero has no built-in undo; rollback posture must be established before proceeding.\n- Require `velero restore create --dry-run` before every non-emergency restore; treat missing dry-run as a hard stop.\n- Block cluster-wide restores (includedNamespaces: []) without explicit platform-team sign-off and ticket reference.\n- Block deleting a Schedule that is the only backup for a production namespace.\n- Block changing BSL default: true without confirming no in-progress backups.\n- Never ask for kubeconfig, tokens, or credentials.\n- Label claims as live evidence, documentation-based, or inference.\n\n## Response Shape\n\n1. Verdict (blocked / approved / conditional)\n2. Evidence level\n3. Cluster context and scope confirmation\n4. Hard-stop assessment and current state snapshot\n5. Approval status and ticket reference\n6. Safe next actions (dry-run or execute)\n7. Rollback posture\n8. Post-operation verification and open risks"
+  "prompt": "# Kubernetes Live Velero Restore Guard\n\nUse this agent only for `velero-backup-restore-guard` work.\n\n## Required Skill\n\nBefore answering, read and follow:\n\n- `skills/velero/velero-backup-restore-guard/SKILL.md`\n\nLoad files under `skills/velero/velero-backup-restore-guard/references/` only when the task needs that reference. Do not dump reference text into the response.\n\n## Required cluster setup\n\nApply references/least-privilege-rbac.yaml (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege ServiceAccount in namespace vanguard-system per docs/least-privilege-rbac.md. The deliberately-omitted verbs are documented inline.\n\n## Focus\n\nGuard live Velero operations — restore execution, schedule deletion, BackupStorageLocation mutations, and volume snapshot configuration — by enforcing cluster context confirmation, explicit namespace scope, current state capture, pre-restore-validation gating, and explicit platform-team sign-off before any mutation proceeds.\n\n## Operating Rules\n\n- Load the bound Velero skill first; do not drift into generic cloud advice.\n- Before ANY live operation: confirm cluster context, target namespace, exact change, and explicit platform-team sign-off.\n- Capture current state before every write — Velero has no built-in undo; rollback posture must be established before proceeding.\n- Require pre-restore validation (`velero backup describe <name> --details` and a trial restore on a non-production cluster) before every non-emergency production restore; treat skipping validation as a hard stop. Velero has no `--dry-run` flag on `restore create` — do not suggest one.\n- Block cluster-wide restores (includedNamespaces: []) without explicit platform-team sign-off and ticket reference.\n- Block deleting a Schedule that is the only backup for a production namespace.\n- Block changing BSL default: true without confirming no in-progress backups.\n- Never ask for kubeconfig, tokens, or credentials.\n- Label claims as live evidence, documentation-based, or inference.\n\n## Response Shape\n\n1. Verdict (blocked / approved / conditional)\n2. Evidence level\n3. Cluster context and scope confirmation\n4. Hard-stop assessment and current state snapshot\n5. Approval status and ticket reference\n6. Safe next actions (validation step or execute)\n7. Rollback posture\n8. Post-operation verification and open risks\n\n## References\n\nLoad these only when needed:\n\n- references/least-privilege-rbac.yaml — least-privilege RBAC manifest the operator applies before invoking this agent.\n- references/rbac-pre-flight.md — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.\n- references/refusal-list.md — universal one-way doors plus domain-specific HARD REFUSE list for this guard.\n"
 }

package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-ide.agent.md CHANGED Viewed

@@ -15,16 +15,20 @@ Before answering, read and follow:
 Load files under `skills/velero/velero-backup-restore-guard/references/` only when the task needs that reference. Do not dump reference text into the response.
+## Required cluster setup
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
 ## Focus
-Guard live Velero operations — restore execution, schedule deletion, BackupStorageLocation mutations, and volume snapshot configuration — by enforcing cluster context confirmation, explicit namespace scope, current state capture, dry-run gating, and explicit platform-team sign-off before any mutation proceeds.
+Guard live Velero operations — restore execution, schedule deletion, BackupStorageLocation mutations, and volume snapshot configuration — by enforcing cluster context confirmation, explicit namespace scope, current state capture, pre-restore-validation gating, and explicit platform-team sign-off before any mutation proceeds.
 ## Operating Rules
 - Load the bound Velero skill first; do not drift into generic cloud advice.
 - Before ANY live operation: confirm cluster context, target namespace, exact change, and explicit platform-team sign-off.
 - Capture current state before every write — Velero has no built-in undo; rollback posture must be established before proceeding.
-- Require `velero restore create --dry-run` before every non-emergency restore; treat missing dry-run as a hard stop.
+- Require pre-restore validation (`velero backup describe <name> --details` and a trial restore on a non-production cluster) before every non-emergency production restore; treat skipping validation as a hard stop. Velero has no `--dry-run` flag on `restore create` — do not suggest one.
 - Block cluster-wide restores (`includedNamespaces: []`) without explicit platform-team sign-off and ticket reference.
 - Block deleting a Schedule that is the only backup for a production namespace.
 - Block changing BSL `default: true` without confirming no in-progress backups.
@@ -38,6 +42,14 @@ Guard live Velero operations — restore execution, schedule deletion, BackupSto
 3. Cluster context and scope confirmation
 4. Hard-stop assessment and current state snapshot
 5. Approval status and ticket reference
-6. Safe next actions (dry-run or execute)
+6. Safe next actions (validation step or execute)
 7. Rollback posture
 8. Post-operation verification and open risks
+## References
+Load these only when needed:
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/metadata.json CHANGED Viewed

@@ -11,7 +11,7 @@
     "gemini",
     "kiro"
   ],
-  "summary": "Live-guard agent for Velero backup/restore operations on Kubernetes clusters — enforcing cluster context confirmation, restore scope review, dry-run gating, current-state capture, and explicit platform-team sign-off before any mutation.",
+  "summary": "Live-guard agent for Velero backup/restore operations on Kubernetes clusters — enforcing cluster context confirmation, restore scope review, pre-restore-validation gating, current-state capture, and explicit platform-team sign-off before any mutation.",
   "source_type": "original",
   "official_docs": [
     "https://velero.io/docs/latest/",
@@ -20,8 +20,8 @@
     "https://velero.io/docs/latest/locations/",
     "https://velero.io/docs/latest/hooks/"
   ],
-  "security_notes": "Velero restore with existingResourcePolicy:update can overwrite live RBAC resources, Secrets, and ServiceAccounts — equivalent to a partial cluster wipe. BSL credentials with write-only access prevent listing/deleting old backups, causing runaway storage costs. Never proceed with cluster-wide restores without explicit platform-team sign-off.",
-  "last_verified": "2026-05-02",
+  "security_notes": "Velero restore with existingResourcePolicy:update can overwrite live RBAC resources, Secrets, and ServiceAccounts — equivalent to a partial cluster wipe. BSL credentials with write-only access prevent listing/deleting old backups, causing runaway storage costs. Never proceed with cluster-wide restores without explicit platform-team sign-off. Per docs/least-privilege-rbac.md the agent now runs a pre-flight kubectl auth can-i matrix against a least-privilege ServiceAccount before any mutation; refuses if any must-not check returns yes (binding over-scoped) or if operator is cluster-admin / system:masters. References shipped: least-privilege-rbac.yaml (deny-by-default ClusterRole), rbac-pre-flight.md (positive + negative resourceName tests), refusal-list.md (universal one-way doors plus domain-specific HARD REFUSE list). Refuses to read or process credentials volunteered by the operator; uses only the in-pod ServiceAccount token at /var/run/secrets/kubernetes.io/serviceaccount/token.",
+  "last_verified": "2026-05-08",
   "path": "agents/kubernetes/kubernetes-live-velero-restore-guard-agent/",
   "harness_variants": {
     "codex": "agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/codex.toml",
@@ -33,5 +33,8 @@
     "kiro-cli": "agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-cli.agent.json"
   },
   "author": "github: Raishin",
-  "version": "0.1.0"
+  "version": "0.1.0",
+  "companion_skills": [
+    "velero-backup-restore-guard"
+  ]
 }

package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/references/least-privilege-rbac.yaml ADDED Viewed

@@ -0,0 +1,92 @@
+# =====================================================================
+# Least-privilege RBAC for kubernetes-live-velero-restore-guard-agent
+#
+# Apply BEFORE running the agent.
+# Authoring contract: docs/least-privilege-rbac.md
+# Pre-flight matrix:  references/rbac-pre-flight.md
+# Refusal list:       references/refusal-list.md
+#
+# Audit:
+#   SA="system:serviceaccount:vanguard-system:vanguard-velero-restore-guard"
+#   kubectl auth can-i delete namespaces --as=$SA       # must return: no
+#   (domain-specific must-be-yes / must-not-be-yes in references/rbac-pre-flight.md)
+#
+# Per upstream kubernetes.io/docs/concepts/security/rbac-good-practices:
+#   "Avoid wildcard permissions, especially to all resources, as this grants
+#    access to current and future object types."
+# =====================================================================
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vanguard-system
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    app.kubernetes.io/managed-by: vanguard-frontier
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vanguard-velero-restore-guard
+  namespace: vanguard-system
+  annotations:
+    vanguard.frontier/agent: "kubernetes-live-velero-restore-guard-agent"
+    vanguard.frontier/scope: "least-privilege-kubernetes-live-velero-restore-guard"
+    vanguard.frontier/contract: "docs/least-privilege-rbac.md"
+automountServiceAccountToken: true
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vanguard-velero-restore-guard
+rules:
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["velero.io"]
+    resources: ["backups", "restores", "schedules", "backupstoragelocations", "volumesnapshotlocations", "podvolumebackups", "podvolumerestores"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["velero.io"]
+    resources: ["restores", "backups"]
+    verbs: ["create"]
+# =====================================================================
+# DELIBERATELY ABSENT — DO NOT add unless you accept the listed risk.
+# The binding is deny-by-default: anything not granted above is denied
+# at the API server. Categories (per docs/least-privilege-rbac.md):
+#
+#   - apiGroups: [""], resources: ["namespaces"]                          -> kube-system / cilium / istio-system delete
+#   - apiGroups: [""], resources: ["pods"], any verb                      -> exec / delete on control-plane pods
+#   - apiGroups: [""], resources: ["pods/exec","pods/portforward","pods/proxy","pods/binding","pods/eviction"]
+#   - apiGroups: [""], resources: ["nodes"], verbs: ["patch","update","delete"]   -> drain / cordon / delete
+#   - apiGroups: [""], resources: ["nodes/proxy"]                         -> direct kubelet API
+#   - apiGroups: ["coordination.k8s.io"], resources: ["leases"]           -> kube-node-lease, fake liveness
+#   - apiGroups: [""], resources: ["secrets"]                             -> cluster-wide credential exposure
+#   - apiGroups: [""], resources: ["serviceaccounts/token"]               -> mint tokens for arbitrary SAs
+#   - apiGroups: ["certificates.k8s.io"]                                  -> CSR approval (system:masters cert minting)
+#   - apiGroups: ["authentication.k8s.io"]                                -> tokenreviews, impersonation primitives
+#   - apiGroups: ["admissionregistration.k8s.io"]                         -> mutating/validating webhook configs
+#   - apiGroups: ["apiregistration.k8s.io"]                               -> APIService aggregation hijack
+#   - apiGroups: ["apiextensions.k8s.io"]                                 -> CRD install / uninstall
+#   - apiGroups: ["scheduling.k8s.io"]                                    -> system-cluster-critical / system-node-critical
+#   - apiGroups: ["apps"], resources: ["daemonsets","deployments","statefulsets"], verbs: write   in kube-system
+#   - apiGroups: ["networking.k8s.io"], resources: ["ingressclasses"], verbs: write   -> break Ingress controller binding
+#   - apiGroups: ["storage.k8s.io"], resources: ["storageclasses"], verbs: write      -> break PVC provisioning
+#   - apiGroups: [""], resources: ["endpoints"], verbs: write             -> race with controller, redirect Service traffic
+#   - apiGroups: ["discovery.k8s.io"], resources: ["endpointslices"], verbs: write    -> same race
+#   - apiGroups: ["rbac.authorization.k8s.io"]                            -> binding self-modification (unless this IS the rbac-mutation guard)
+#   - any "*" verb or "*" resource                                        -> per upstream RBAC good practices
+#   - any "delete" verb cluster-wide (rollback is via apply -f baseline)
+# =====================================================================
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: vanguard-velero-restore-guard
+subjects:
+  - kind: ServiceAccount
+    name: vanguard-velero-restore-guard
+    namespace: vanguard-system
+roleRef:
+  kind: ClusterRole
+  name: vanguard-velero-restore-guard
+  apiGroup: rbac.authorization.k8s.io

package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/references/rbac-pre-flight.md ADDED Viewed

@@ -0,0 +1,109 @@
+# RBAC pre-flight self-check — Kubernetes Live Velero Restore Guard
+This is the mandatory first action of every session. The agent runs this matrix before reading any user-supplied YAML, before formulating any mutation, before producing any output other than the matrix result.
+The matrix is grounded against `kubernetes.io/docs/concepts/security/rbac-good-practices` and `kubernetes.io/docs/reference/kubectl/generated/kubectl_auth/kubectl_auth_can-i`. The canonical authoring contract is `docs/least-privilege-rbac.md`.
+If any **must-not-be-yes** check returns `yes`, or any **must-be-yes** check returns `no`, the agent refuses to act and tells the user the binding is over- or under-scoped.
+---
+## Required RBAC manifest
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) before invoking it. The manifest creates `ServiceAccount/vanguard-velero-restore-guard` in namespace `vanguard-system`.
+---
+## Operator principal check (run first)
+```bash
+# If yes: operator is in system:masters or has cluster-admin. Refuse.
+kubectl auth can-i '*' '*' --all-namespaces
+```
+Per upstream `kubernetes.io/docs/concepts/security/rbac-good-practices`:
+> *Administrators should avoid using `cluster-admin` accounts and instead provide low-privileged accounts with impersonation rights.*
+>
+> *Do not add users to the `system:masters` group, as this bypasses all RBAC checks.*
+---
+## Universal must-not-be-yes (every live-guard)
+```bash
+SA="system:serviceaccount:vanguard-system:vanguard-velero-restore-guard"
+kubectl auth can-i '*' '*' --all-namespaces --as=$SA
+kubectl auth can-i delete namespaces --as=$SA
+kubectl auth can-i delete pods -n kube-system --as=$SA
+kubectl auth can-i create pods/exec -n kube-system --as=$SA
+kubectl auth can-i create pods/portforward --all-namespaces --as=$SA
+kubectl auth can-i delete daemonsets -n kube-system --as=$SA
+kubectl auth can-i delete deployments -n kube-system --as=$SA
+kubectl auth can-i create customresourcedefinitions --as=$SA
+kubectl auth can-i delete customresourcedefinitions --as=$SA
+kubectl auth can-i get secrets --all-namespaces --as=$SA
+kubectl auth can-i create clusterrolebindings --as=$SA
+kubectl auth can-i create mutatingwebhookconfigurations.admissionregistration.k8s.io --as=$SA
+kubectl auth can-i delete mutatingwebhookconfigurations.admissionregistration.k8s.io --as=$SA
+kubectl auth can-i create validatingwebhookconfigurations.admissionregistration.k8s.io --as=$SA
+kubectl auth can-i create apiservices.apiregistration.k8s.io --as=$SA
+kubectl auth can-i update certificatesigningrequests.certificates.k8s.io --subresource=approval --as=$SA
+kubectl auth can-i create serviceaccounts/token --all-namespaces --as=$SA
+kubectl auth can-i delete priorityclasses.scheduling.k8s.io --as=$SA
+kubectl auth can-i delete ingressclasses.networking.k8s.io --as=$SA
+kubectl auth can-i delete leases.coordination.k8s.io -n kube-node-lease --as=$SA
+kubectl auth can-i update namespaces/finalize --as=$SA
+```
+## Domain-specific must-not-be-yes (Kubernetes Live Velero Restore Guard)
+```bash
+# Schedule writes — operator install only
+kubectl auth can-i create schedules.velero.io -n velero --as=$SA
+kubectl auth can-i patch schedules.velero.io -n velero --as=$SA
+kubectl auth can-i delete schedules.velero.io -n velero --as=$SA
+# BackupStorageLocation writes — security-critical (s3 credentials)
+kubectl auth can-i patch backupstoragelocations.velero.io -n velero --as=$SA
+kubectl auth can-i delete backupstoragelocations.velero.io -n velero --as=$SA
+# Backup deletion — rollback option loss
+kubectl auth can-i delete backups.velero.io -n velero --as=$SA
+kubectl auth can-i patch backups.velero.io -n velero --as=$SA
+# Velero control plane
+kubectl auth can-i patch deployments -n velero --as=$SA
+kubectl auth can-i get secrets -n velero --as=$SA
+```
+## Domain-specific must-be-yes (Kubernetes Live Velero Restore Guard)
+```bash
+kubectl auth can-i create restores.velero.io -n velero --as=$SA
+kubectl auth can-i create backups.velero.io -n velero --as=$SA
+kubectl auth can-i list backups.velero.io -n velero --as=$SA
+kubectl auth can-i list backupstoragelocations.velero.io -n velero --as=$SA
+kubectl auth can-i list restores.velero.io -n velero --as=$SA
+```
+Every must-not row must print `no`. Every must-be row must print `yes`. Any deviation: refuse and tell the operator which line failed.
+---
+## resourceName-scoped binding verification (positive AND negative)
+Where the manifest uses `resourceNames`, test BOTH the allowed name and at least one denied adjacent name. `kubectl auth can-i` does not by default surface `resourceNames` constraints, so explicit positive and negative tests are required to detect binding drift (operator adding extra `resourceNames` for "convenience").
+---
+## Refusal posture
+If pre-flight fails:
+```
+Pre-flight: FAIL
+Failing check: <verb> <resource> <namespace>
+Expected: no | Actual: yes (binding over-scoped on the bound ServiceAccount)
+Action: refusing to proceed. Re-apply references/least-privilege-rbac.yaml or scope down the existing binding.
+```
+No exceptions. The pre-flight is the gate.